Downloadable ACL - LDAP and or ACS

darreng · ‎11-25-2012

Hello,

I have seen a number of posts about the above but I can't quite work out the answer to my problem.

I have set up some users to authenticate from an ASA to a Windows AD box using LDAP (NB my Windows admin did the AD bit). We have mapped 2 x test accounts to different VPN Groups using an LDAP Attribute Map - this works fine.

We have an ACS Server that isn't doing much and would like to test Downloadable ACL's. My reading suggests that I will have to do both authentication and authorisation on the ACS (Radius) and the LDAP config will become redundant. Is this correct, or, can I have LDAP / AD do the authentication and somehow use the ACS for the downloadable ACL's.

Any link giving examples would be great.

Thank you.

Darren

Dmitriy Tsaryapkin · ‎06-04-2013

Hello Darren.

First of all you must notice is that RADIUS is one special snowflake and it does not have thing called Authorization as a separate thing. What it does have is the moment users get authenticated Radius server straight away sends the reply with all the authorization parameters. That just it. No other way. Authentication an Authorization are one when you talk RADIUS. So what you might need is get a bit of reading on how RADIUS works.

Second question regarding examples. You might want to look at Cisco VPN course which covers that subject of downloadable ACLs and Radius / Tacacs differences. In this course you will find the labs and examples of configuring downloadble ACL.

Regards Dmitriy Tsaryapkin.

P.S. Though there are several options there when you can created LDAP maps and map some attributes in AD to ACLs created localy on ASA. Not sure about VPN's but it worked for me with Cut-Through Proxy authentication with attributes taken from LDAP.